The signed pipelines feature is a verification system that determines which pipelines/steps generated a specific artifact. It provides users with a way to ensure that their artifacts have not been tampered with before these artifacts are promoted through the CI/CD workflow. The signing process creates trust, and provides a way to validate the immutability of the artifacts and the authenticity of packages. This means, if the authenticity of artifacts cannot be verified, they can be blocked.
In addition, the signed pipelines feature builds comprehensive metadata, called pipeinfo. This provides complete visibility and audit for each step and run, which can be viewed in the UI.
Note
The signed pipelines feature is available with Enterprise+ license only.
The signed pipelines feature is available for buildinfo and Go binaries only.
The signed pipelines feature is enabled by default. To disable this feature, in the Core Services Configurations section in the Pipelines System YAML, set the
signedPipelinesEnabledtag asfalse.
The following topics review information related to Signed Pipelines: